Re: Should we drop the fully qualified server name requirement?

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Thu, 11 Dec 2008 13:41:03 -0700

On Thu, 2008-12-11 at 21:11 +0100, Henrik Nordstrom wrote:
> tor 2008-12-11 klockan 12:53 -0700 skrev Alex Rousskov:
>
> > Would removing the requirement open more doors for malicious attacks via
> > "looking like normal" URLs? For example, is it easier for somebody with
> > local access to change the name resolution for "citi" than for
> > "citi.com"?
>
> I don't see how it's related.
>
> My question is on Squid's requirements on the hostname of the server
> where Squid runs, not proxied hostnames.

Ah, I see. We already have a visible host name option for that and it
accepts non-FQDNs, right? I agree that this requirement is rather
idealistic, but I would like to hear why Kinkie would prefer to keep it.

What are we going to do about loops and absolute exchange URLs if the
Squid host name is not known?

Thank you,

Alex.

> I propose that we drop this requirement, only warn if we can't figure
> out the local hostname FQDN.
>
> The local server FQDN is used for
>
> - Via headers, as a unique identifier. used for loop prevention.
>
> - Absolute URLs pointing to the server. I.e. icons if use of absolute
> URLs have been enabled. (default shortnames without host).
>
> - Absolute URLs for digest & netdb exchanges.
Received on Thu Dec 11 2008 - 20:42:25 MST

This archive was generated by hypermail 2.2.0 : Fri Dec 12 2008 - 12:00:07 MST